Senator Brian Schatz wants to make powerful technology companies more like banks, law firms, and hospitals—at least in terms of how they handle data.
In late December, the Hawaii Democrat, one of big tech’s most vocal critics on Capitol Hill, introduced legislation that would change the relationship between the public and the companies they hand their data over to by making them legally liable for handling it responsibly, as in the financial services, legal, and healthcare sectors. Organizations in these fields are legally obligated to not misuse personal data, to not exploit it, and to treat it with a relative degree of care—commitments Schatz and the public believe technology companies aren’t fulfilling.
The idea isn’t new—Jack Balkin, a professor at Yale Law School and the founder and director of Yale’s Information Society Project, proposed the idea of an information fiduciary back in 2016—but Schatz’s bill, currently cosponsored by 14 Democrats is, the first major attempt at federal legislation that would hold companies accountable for how they use consumer data. (This year, California passed similar legislation, fought by big tech lobbyists.) The bill comes after a year of public reckoning with how much power technology companies have, as Facebook scandals involving Cambridge Analytica data collection and election meddling have transformed Silicon Valley from America’s startup darlings to the country’s biggest corporate creeps.
One week after he introduced the bill, the New York Times revealed new details about Facebook’s partnerships with companies like Spotify and Netflix that extended far-reaching access to user data, including personal messages. These kinds of stories, Schatz said, will help motivate lawmakers to finally bring federal regulation to Silicon Valley. Schatz, who envisions his bill as one part of a larger and ultimately bi-partisan legislative effort, spoke with Mother Jones shortly after the Times story’s release.
Mother Jones: What’s the impetus for the data sharing legislation, and what do you think the impact will be?
Senator Brian Schatz: The name we’re going with is the Data Care Act. We’re not using the word fiduciary, because that has a tendency to create confusion because of various other legal connotations. But what’s clear is that there’s an opportunity to do something big and bipartisan on privacy and that these companies are not going to voluntarily behave. They lack the will. And I think they’re not even sure what they would do if they could conjure the will.
They need to be overseen by federal agencies with real authority to make rules and levy fines. We want to establish a statutory framework where there are three main duties, the duty of care, which is essentially cybersecurity, to secure the data, and to inform people if there are breaches, a duty of loyalty. Loyalty, in my view, is the most important and foundational aspect of the bill, which is to say that whatever the circumstances are, the data being collected online, whether it’s through the Internet of Things, or through a social network, or from the cable company or whatever, whomever collects the data has a duty not to utilize that data to the detriment of the user. Third, is the duty of confidentiality, which essentially attaches the first two duties to any partners or third-party providers that may have a relationship with the company that originally collected the data.
As you can tell, these are simple principles that are understandable and can stand the test of time. We have to future proof any policy for two reasons: First, if we’re too prescriptive in the language of the bill, software engineers and lawyers will fixate on the line which is written and just circumvent it almost immediately. Second, we know that times will change. Data collection will change. The internet itself will change and it’s important to lay down these broad principles and empower the expert agency to flesh them out through rulemaking and through levying fines.
MJ: How do you define ‘using data to the detriment of the user’? How do you make sure that companies don’t abuse the ambiguity of that phrase?
BS: The smartest way to not run afoul of that duty is to stay as far away from the line as possible. As long as you are loyal to your customer, you should be fine. If you have secret partnerships, wherein which your data is being sold, or shared with foreign adversaries, then you’re being disloyal.
If I search for flights to Maui, and then on the same platform, I get an ad that says there’s a special on Maui, no one’s getting harmed.
Some of this will have to be adjudicated by the Federal Trade Commission. But that’s the point. Under the FTC, companies know you can’t do anything unfair and deceptive. Some corporate operations fly as close to that line as possible, but most businesses just know that to the extent that they’re doing anything deceptive, they’re going to be in trouble with the law. I think the same approach would apply for this duty of loyalty.
MJ: How might this legislation affect things like the revelations in the New York Times story about Facebook sharing things like messages with companies like Netflix. Would that explicitly violate the consumer detriment clause?
BS: It’s possible that they would have violated all three of the major duties. Certainly, the duty of loyalty. The partnerships were worse than opaque, they’re actually secrets. For example, I did not sign up for the Royal Bank of Canada to read my messages.
MJ: Even though this is legislation isn’t quite explicitly making companies data fiduciaries, what you’re proposing runs parallel to that. Some of the other examples of industries that operate as data fiduciaries, like you said, are banks, the medical industry, and lawyers. All of these industries have their own large number of problems. Banks, for example, have figured out ways to hurt consumers via less direct means and on a more macro level. Would there have to be a separate piece of legislation that would address what technology companies could do outside the purview this law?
BS: Well, I think they should be more like banks from the cybersecurity and privacy standpoint. I don’t think they should be like banks in terms of charging you to get your money out, or harming consumers at the pocketbook level. To get to your broader question, this bill is, I think, the foundation for what we’re going to do going forward, but it is not everything. Senators Blumenthal, Moran, Wicker and others have good ideas. Eventually, we’re going to be in a position to do a big privacy package on a bipartisan basis, and I don’t anticipate that this will be the only thing in it.
MJ: Does that position rely on a Democratic majority, or does it rely on momentum finally catching among Republicans?
BS: Two things. First, the politics is scrambled. It is not the case that Democrats and tech are in a mutual admiration society anymore. It’s not the case that Republicans are too “pro-business” to take action in terms of regulation. Everybody understands that there needs to be something done. And second, the industry is terrified of the California law going into place, and that is providing a fair amount of momentum in the Capitol.
MJ: Have you talked to tech lobbying groups about this? Are they already trying to tweak this? Is there an aversion? Or is tech more amenable to this than other types of regulation?
BS: Tech is not sure what to make of this. But I think that they’re highly motivated to get a federal law. Their initial position was “please do a federal law in order to preempt California law,” and I’ve been loud and clear: we’re not doing non-progressive federal law to preempt a progressive state law. The only thing that will replace and preempt California’s statute is a strong progressive federal privacy framework.
MJ: Are you potentially going to have Republican cosponsors?
BS: I don’t know how it’s going to play out sort of in terms of the mechanics, but we’ve had a lot of constructive conversations with several Republicans. But I, frankly, don’t know whether we’re going to end up with Republicans co-sponsoring the existing legislation or if we pile this into a package with four or five other elements.
MJ: Do you think that the energy on the Republican side about conservative bias is a distracting force? Or do you think it can be repositioned and used to get legislation like this through?
BS: I don’t want to pretend I have an answer to that. But I think it’s an interesting question. I just don’t know.
MJ: So there’s not a chance that we could see Senator Schatz being like “Hey Twitter, why are you shadow banning Matt Gaetz?”
BS: Yeah, yeah, exactly. I don’t even know what that is.
MJ: With the New York Times story, it seems like people are very mad. It’s hard to track what makes stocks do what they do, but Facebook is down 6 percent today. Senators are tweeting about the story. Are we at the point where we get another hearing and Facebook gets called back?
BS: Count me among those that are skeptical that we need another hearing with 48 Senators with five minutes each and a tech CEO, any tech CEO, not answering questions. It’s time to have a legislative hearing. Pointing our fingers and pontificating is not going to ensure that anyone’s privacy is protected. What we have to do is the hard work of legislating.
MJ: How do you get to that point? This has been going on for a year. You’ve been talking about this. So have Senators Warner and Klobuchar. They have their own legislation that’s been sitting out. Their legislation isn’t that radical or extreme and they can’t gather any sort of momentum. What is the breaking point? We’ve seen all of these things happen and the needle on legislation still doesn’t move.
BS: I think over the last several months, things are different now. I think the New York Times revelations were impactful. I think more generally speaking, the Times stories advanced the understanding of how the platforms were used in the 2016 election. It’s also Nancy Pelosi being speaker. It’s California. The momentum is there and this issue is relevant.
MJ: What are your reactions to what the Times revealed about what Facebook was doing?
BS: It’s appalling. But the silver lining is that I can’t find anyone that thinks this is no big deal. I can’t find a senator who says “we should do nothing on privacy, and, like, the free market will figure this out.” Although, I haven’t talked to Rand Paul about it.